1 /* recovery.c --- FSFS recovery functionality
3 * ====================================================================
4 * Licensed to the Apache Software Foundation (ASF) under one
5 * or more contributor license agreements. See the NOTICE file
6 * distributed with this work for additional information
7 * regarding copyright ownership. The ASF licenses this file
8 * to you under the Apache License, Version 2.0 (the
9 * "License"); you may not use this file except in compliance
10 * with the License. You may obtain a copy of the License at
12 * http://www.apache.org/licenses/LICENSE-2.0
14 * Unless required by applicable law or agreed to in writing,
15 * software distributed under the License is distributed on an
16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
17 * KIND, either express or implied. See the License for the
18 * specific language governing permissions and limitations
20 * ====================================================================
26 #include "svn_pools.h"
27 #include "private/svn_string_private.h"
30 #include "low_level.h"
31 #include "rep-cache.h"
34 #include "cached_data.h"
36 #include "../libsvn_fs/fs-loader.h"
38 #include "svn_private_config.h"
40 /* Part of the recovery procedure. Return the largest revision *REV in
41 filesystem FS. Use POOL for temporary allocation. */
43 recover_get_largest_revision(svn_fs_t *fs, svn_revnum_t *rev, apr_pool_t *pool)
45 /* Discovering the largest revision in the filesystem would be an
46 expensive operation if we did a readdir() or searched linearly,
47 so we'll do a form of binary search. left is a revision that we
48 know exists, right a revision that we know does not exist. */
50 svn_revnum_t left, right = 1;
52 iterpool = svn_pool_create(pool);
53 /* Keep doubling right, until we find a revision that doesn't exist. */
57 svn_fs_fs__revision_file_t *file;
58 svn_pool_clear(iterpool);
60 err = svn_fs_fs__open_pack_or_rev_file(&file, fs, right, iterpool,
62 if (err && err->apr_err == SVN_ERR_FS_NO_SUCH_REVISION)
75 /* We know that left exists and right doesn't. Do a normal bsearch to find
77 while (left + 1 < right)
79 svn_revnum_t probe = left + ((right - left) / 2);
81 svn_fs_fs__revision_file_t *file;
82 svn_pool_clear(iterpool);
84 err = svn_fs_fs__open_pack_or_rev_file(&file, fs, probe, iterpool,
86 if (err && err->apr_err == SVN_ERR_FS_NO_SUCH_REVISION)
98 svn_pool_destroy(iterpool);
100 /* left is now the largest revision that exists. */
105 /* A baton for reading a fixed amount from an open file. For
106 recover_find_max_ids() below. */
107 struct recover_read_from_file_baton
109 svn_stream_t *stream;
114 /* A stream read handler used by recover_find_max_ids() below.
115 Read and return at most BATON->REMAINING bytes from the stream,
116 returning nothing after that to indicate EOF. */
118 read_handler_recover(void *baton, char *buffer, apr_size_t *len)
120 struct recover_read_from_file_baton *b = baton;
121 apr_size_t bytes_to_read = *len;
123 if (b->remaining == 0)
125 /* Return a successful read of zero bytes to signal EOF. */
130 if ((apr_int64_t)bytes_to_read > (apr_int64_t)b->remaining)
131 bytes_to_read = (apr_size_t)b->remaining;
132 b->remaining -= bytes_to_read;
134 return svn_stream_read_full(b->stream, buffer, &bytes_to_read);
137 /* Part of the recovery procedure. Read the directory noderev at offset
138 OFFSET of file REV_FILE (the revision file of revision REV of
139 filesystem FS), and set MAX_NODE_ID and MAX_COPY_ID to be the node-id
140 and copy-id of that node, if greater than the current value stored
141 in either. Recurse into any child directories that were modified in
144 MAX_NODE_ID and MAX_COPY_ID must be arrays of at least MAX_KEY_SIZE.
146 Perform temporary allocation in POOL. */
148 recover_find_max_ids(svn_fs_t *fs,
150 svn_fs_fs__revision_file_t *rev_file,
152 apr_uint64_t *max_node_id,
153 apr_uint64_t *max_copy_id,
156 svn_fs_fs__rep_header_t *header;
157 struct recover_read_from_file_baton baton;
158 svn_stream_t *stream;
160 apr_hash_index_t *hi;
161 apr_pool_t *iterpool;
162 node_revision_t *noderev;
165 baton.stream = rev_file->stream;
166 SVN_ERR(svn_io_file_seek(rev_file->file, APR_SET, &offset, pool));
167 SVN_ERR(svn_fs_fs__read_noderev(&noderev, baton.stream, pool, pool));
169 /* Check that this is a directory. It should be. */
170 if (noderev->kind != svn_node_dir)
171 return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
172 _("Recovery encountered a non-directory node"));
174 /* Get the data location. No data location indicates an empty directory. */
175 if (!noderev->data_rep)
178 /* If the directory's data representation wasn't changed in this revision,
179 we've already scanned the directory's contents for noderevs, so we don't
180 need to again. This will occur if a property is changed on a directory
181 without changing the directory's contents. */
182 if (noderev->data_rep->revision != rev)
185 /* We could use get_dir_contents(), but this is much cheaper. It does
186 rely on directory entries being stored as PLAIN reps, though. */
187 SVN_ERR(svn_fs_fs__item_offset(&offset, fs, rev_file, rev, NULL,
188 noderev->data_rep->item_index, pool));
189 SVN_ERR(svn_io_file_seek(rev_file->file, APR_SET, &offset, pool));
190 SVN_ERR(svn_fs_fs__read_rep_header(&header, baton.stream, pool, pool));
191 if (header->type != svn_fs_fs__rep_plain)
192 return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
193 _("Recovery encountered a deltified directory "
196 /* Now create a stream that's allowed to read only as much data as is
197 stored in the representation. Note that this is a directory, i.e.
198 represented using the hash format on disk and can never have 0 length. */
200 baton.remaining = noderev->data_rep->expanded_size;
201 stream = svn_stream_create(&baton, pool);
202 svn_stream_set_read2(stream, NULL /* only full read support */,
203 read_handler_recover);
205 /* Now read the entries from that stream. */
206 entries = apr_hash_make(pool);
207 err = svn_hash_read2(entries, stream, SVN_HASH_TERMINATOR, pool);
210 svn_string_t *id_str = svn_fs_fs__id_unparse(noderev->id, pool);
212 err = svn_error_compose_create(err, svn_stream_close(stream));
213 return svn_error_quick_wrapf(err,
214 _("malformed representation for node-revision '%s'"),
217 SVN_ERR(svn_stream_close(stream));
219 /* Now check each of the entries in our directory to find new node and
220 copy ids, and recurse into new subdirectories. */
221 iterpool = svn_pool_create(pool);
222 for (hi = apr_hash_first(pool, entries); hi; hi = apr_hash_next(hi))
226 svn_node_kind_t kind;
227 const svn_fs_id_t *id;
228 const svn_fs_fs__id_part_t *rev_item;
229 apr_uint64_t node_id, copy_id;
230 apr_off_t child_dir_offset;
231 const svn_string_t *path = apr_hash_this_val(hi);
233 svn_pool_clear(iterpool);
235 str_val = apr_pstrdup(iterpool, path->data);
237 str = svn_cstring_tokenize(" ", &str_val);
239 return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
240 _("Directory entry corrupt"));
242 if (strcmp(str, SVN_FS_FS__KIND_FILE) == 0)
243 kind = svn_node_file;
244 else if (strcmp(str, SVN_FS_FS__KIND_DIR) == 0)
248 return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
249 _("Directory entry corrupt"));
252 str = svn_cstring_tokenize(" ", &str_val);
254 return svn_error_create(SVN_ERR_FS_CORRUPT, NULL,
255 _("Directory entry corrupt"));
257 SVN_ERR(svn_fs_fs__id_parse(&id, str, iterpool));
259 rev_item = svn_fs_fs__id_rev_item(id);
260 if (rev_item->revision != rev)
262 /* If the node wasn't modified in this revision, we've already
263 checked the node and copy id. */
267 node_id = svn_fs_fs__id_node_id(id)->number;
268 copy_id = svn_fs_fs__id_copy_id(id)->number;
270 if (node_id > *max_node_id)
271 *max_node_id = node_id;
272 if (copy_id > *max_copy_id)
273 *max_copy_id = copy_id;
275 if (kind == svn_node_file)
278 SVN_ERR(svn_fs_fs__item_offset(&child_dir_offset, fs,
279 rev_file, rev, NULL, rev_item->number,
281 SVN_ERR(recover_find_max_ids(fs, rev, rev_file, child_dir_offset,
282 max_node_id, max_copy_id, iterpool));
284 svn_pool_destroy(iterpool);
289 /* Part of the recovery procedure. Given an open non-packed revision file
290 REV_FILE for REV, locate the trailer that specifies the offset to the root
291 node-id and store this offset in *ROOT_OFFSET. Do temporary allocations in
294 recover_get_root_offset(apr_off_t *root_offset,
296 svn_fs_fs__revision_file_t *rev_file,
300 svn_stringbuf_t *trailer;
305 SVN_ERR_ASSERT(!rev_file->is_packed);
307 /* We will assume that the last line containing the two offsets (to the root
308 node-id and to the changed path information) will never be longer than 64
311 SVN_ERR(svn_io_file_seek(rev_file->file, APR_END, &end, pool));
313 if (end < sizeof(buffer))
315 len = (apr_size_t)end;
320 len = sizeof(buffer);
321 start = end - sizeof(buffer);
324 SVN_ERR(svn_io_file_seek(rev_file->file, APR_SET, &start, pool));
325 SVN_ERR(svn_io_file_read_full2(rev_file->file, buffer, len,
328 trailer = svn_stringbuf_ncreate(buffer, len, pool);
329 SVN_ERR(svn_fs_fs__parse_revision_trailer(root_offset, NULL, trailer, rev));
334 /* Baton used for recover_body below. */
335 struct recover_baton {
337 svn_cancel_func_t cancel_func;
341 /* The work-horse for svn_fs_fs__recover, called with the FS
342 write lock. This implements the svn_fs_fs__with_write_lock()
343 'body' callback type. BATON is a 'struct recover_baton *'. */
345 recover_body(void *baton, apr_pool_t *pool)
347 struct recover_baton *b = baton;
348 svn_fs_t *fs = b->fs;
349 fs_fs_data_t *ffd = fs->fsap_data;
350 svn_revnum_t max_rev;
351 apr_uint64_t next_node_id = 0;
352 apr_uint64_t next_copy_id = 0;
353 svn_revnum_t youngest_rev;
354 svn_node_kind_t youngest_revprops_kind;
356 /* The admin may have created a plain copy of this repo before attempting
357 to recover it (hotcopy may or may not work with corrupted repos).
358 Bump the instance ID. */
359 SVN_ERR(svn_fs_fs__set_uuid(fs, fs->uuid, NULL, pool));
361 /* We need to know the largest revision in the filesystem. */
362 SVN_ERR(recover_get_largest_revision(fs, &max_rev, pool));
364 /* Get the expected youngest revision */
365 SVN_ERR(svn_fs_fs__youngest_rev(&youngest_rev, fs, pool));
369 Since the revprops file is written after the revs file, the true
370 maximum available revision is the youngest one for which both are
371 present. That's probably the same as the max_rev we just found,
372 but if it's not, we could, in theory, repeatedly decrement
373 max_rev until we find a revision that has both a revs and
374 revprops file, then write db/current with that.
376 But we choose not to. If a repository is so corrupt that it's
377 missing at least one revprops file, we shouldn't assume that the
378 youngest revision for which both the revs and revprops files are
379 present is healthy. In other words, we're willing to recover
380 from a missing or out-of-date db/current file, because db/current
381 is truly redundant -- it's basically a cache so we don't have to
382 find max_rev each time, albeit a cache with unusual semantics,
383 since it also officially defines when a revision goes live. But
384 if we're missing more than the cache, it's time to back out and
385 let the admin reconstruct things by hand: correctness at that
386 point may depend on external things like checking a commit email
387 list, looking in particular working copies, etc.
389 This policy matches well with a typical naive backup scenario.
390 Say you're rsyncing your FSFS repository nightly to the same
391 location. Once revs and revprops are written, you've got the
392 maximum rev; if the backup should bomb before db/current is
393 written, then db/current could stay arbitrarily out-of-date, but
394 we can still recover. It's a small window, but we might as well
397 /* Even if db/current were missing, it would be created with 0 by
398 get_youngest(), so this conditional remains valid. */
399 if (youngest_rev > max_rev)
400 return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
401 _("Expected current rev to be <= %ld "
402 "but found %ld"), max_rev, youngest_rev);
404 /* We only need to search for maximum IDs for old FS formats which
405 se global ID counters. */
406 if (ffd->format < SVN_FS_FS__MIN_NO_GLOBAL_IDS_FORMAT)
408 /* Next we need to find the maximum node id and copy id in use across the
409 filesystem. Unfortunately, the only way we can get this information
410 is to scan all the noderevs of all the revisions and keep track as
413 apr_pool_t *iterpool = svn_pool_create(pool);
415 for (rev = 0; rev <= max_rev; rev++)
417 svn_fs_fs__revision_file_t *rev_file;
418 apr_off_t root_offset;
420 svn_pool_clear(iterpool);
423 SVN_ERR(b->cancel_func(b->cancel_baton));
425 SVN_ERR(svn_fs_fs__open_pack_or_rev_file(&rev_file, fs, rev, pool,
427 SVN_ERR(recover_get_root_offset(&root_offset, rev, rev_file, pool));
428 SVN_ERR(recover_find_max_ids(fs, rev, rev_file, root_offset,
429 &next_node_id, &next_copy_id, pool));
430 SVN_ERR(svn_fs_fs__close_revision_file(rev_file));
432 svn_pool_destroy(iterpool);
434 /* Now that we finally have the maximum revision, node-id and copy-id, we
435 can bump the two ids to get the next of each. */
440 /* Before setting current, verify that there is a revprops file
441 for the youngest revision. (Issue #2992) */
442 SVN_ERR(svn_io_check_path(svn_fs_fs__path_revprops(fs, max_rev, pool),
443 &youngest_revprops_kind, pool));
444 if (youngest_revprops_kind == svn_node_none)
446 svn_boolean_t missing = TRUE;
447 if (!svn_fs_fs__packed_revprop_available(&missing, fs, max_rev, pool))
451 return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
452 _("Revision %ld has a revs file but no "
458 return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
459 _("Revision %ld has a revs file but the "
460 "revprops file is inaccessible"),
465 else if (youngest_revprops_kind != svn_node_file)
467 return svn_error_createf(SVN_ERR_FS_CORRUPT, NULL,
468 _("Revision %ld has a non-file where its "
469 "revprops file should be"),
473 /* Prune younger-than-(newfound-youngest) revisions from the rep
474 cache, taking care not to create the cache if it does not exist.
476 We do this whenever rep-cache.db exists, whether it's currently enabled
477 or not, to prevent a data loss that could result from having revisions
478 created after this 'recover' operation referring to rep-cache.db rows
479 that were created before the recover and that point to revisions younger-
480 than-(newfound-youngest).
482 if (ffd->format >= SVN_FS_FS__MIN_REP_SHARING_FORMAT)
484 svn_boolean_t rep_cache_exists;
486 SVN_ERR(svn_fs_fs__exists_rep_cache(&rep_cache_exists, fs, pool));
487 if (rep_cache_exists)
488 SVN_ERR(svn_fs_fs__del_rep_reference(fs, max_rev, pool));
491 /* Now store the discovered youngest revision, and the next IDs if
492 relevant, in a new 'current' file. */
493 return svn_fs_fs__write_current(fs, max_rev, next_node_id, next_copy_id,
497 /* This implements the fs_library_vtable_t.recover() API. */
499 svn_fs_fs__recover(svn_fs_t *fs,
500 svn_cancel_func_t cancel_func, void *cancel_baton,
503 struct recover_baton b;
505 /* We have no way to take out an exclusive lock in FSFS, so we're
506 restricted as to the types of recovery we can do. Luckily,
507 we just want to recreate the 'current' file, and we can do that just
508 by blocking other writers. */
510 b.cancel_func = cancel_func;
511 b.cancel_baton = cancel_baton;
512 return svn_fs_fs__with_all_locks(fs, recover_body, &b, pool);
projects / FreeBSD / FreeBSD.git / blob